JS: Move hasWildcardReplaceRegExp to a shared place

2025-12-21 19:26:31 +01:00 · 2024-03-13 09:19:26 +01:00
parent 4043bc13ab
commit e66f27cfe3
3 changed files with 12 additions and 15 deletions
--- a/javascript/ql/lib/semmle/javascript/StandardLibrary.qll
+++ b/javascript/ql/lib/semmle/javascript/StandardLibrary.qll
@@ -154,6 +154,15 @@ class StringReplaceCall extends DataFlow::MethodCallNode {
      new = ret.getStringValue()
    )
  }
+
+  /**
+   * Holds if this call takes a regexp containing a wildcard-like term such as `.`.
+   *
+   * Also see `RegExp::isWildcardLike`.
+   */
+  final predicate hasRegExpContainingWildcard() {
+    RegExp::isWildcardLike(this.getRegExp().getRoot().getAChild*())
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -424,7 +424,7 @@ module TaintTracking {
      // In and out of .replace callbacks
      exists(StringReplaceCall call |
        // Into the callback if the regexp does not sanitize matches
-        hasWildcardReplaceRegExp(call) and
+        call.hasRegExpContainingWildcard() and
        pred = call.getReceiver() and
        succ = call.getReplacementCallback().getParameter(0)
        or
@@ -435,12 +435,6 @@ module TaintTracking {
    }
  }

-  /** Holds if the given call takes a regexp containing a wildcard. */
-  pragma[noinline]
-  private predicate hasWildcardReplaceRegExp(StringReplaceCall call) {
-    RegExp::isWildcardLike(call.getRegExp().getRoot().getAChild*())
-  }
-
  /**
   * A taint propagating data flow edge arising from string formatting.
   */
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Strings.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Strings.qll
@@ -5,12 +5,6 @@
 private import javascript
 private import semmle.javascript.dataflow.FlowSummary

-/** Holds if the given call takes a regexp containing a wildcard. */
-pragma[noinline]
-private predicate hasWildcardReplaceRegExp(StringReplaceCall call) {
-  RegExp::isWildcardLike(call.getRegExp().getRoot().getAChild*())
-}
-
 /**
 * Summary for calls to `.replace` or `.replaceAll` (without a regexp pattern containing a wildcard).
 */
@@ -19,7 +13,7 @@ private class StringReplaceNoWildcard extends SummarizedCallable {
    this = "String#replace / String#replaceAll (without wildcard pattern)"
  }

-  override StringReplaceCall getACall() { not hasWildcardReplaceRegExp(result) }
+  override StringReplaceCall getACall() { not result.hasRegExpContainingWildcard() }

  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
    preservesValue = false and
@@ -43,7 +37,7 @@ private class StringReplaceWithWildcard extends SummarizedCallable {
    this = "String#replace / String#replaceAll (with wildcard pattern)"
  }

-  override StringReplaceCall getACall() { hasWildcardReplaceRegExp(result) }
+  override StringReplaceCall getACall() { result.hasRegExpContainingWildcard() }

  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
    preservesValue = false and